How China steals our secrets

Former US counterterrorism director Richard Clarke has another article up in the New York Times entitled “How China Steals Our Secrets.” It’s similar to an article that I wrote about last week. In it, he recounts how nearly all US companies have been breached by the Chinese and many aren’t even aware of it. This is bad because the US does all of the investment in research while the Chinese reap the benefits. It means that the US loses its competitive advantage.

Clarke does have a proposal to fix this:

If given the proper authorization, the United States government could stop files in the process of being stolen from getting to the Chinese hackers. If government agencies were authorized to create a major program to grab stolen data leaving the country, they could drastically reduce today’s wholesale theft of American corporate secrets.

How would this work? How could the US government know that data leaving the country is stolen data?

I began thinking this through. There are a couple of ways to accomplish this:

No traffic arriving from outside the US can take anything back to an IP address located outside the US. In other words, all traffic going to and from critical security companies must stay within the country. This is really heavy handed, though. All Internet traffic?

The other thing I can think of, which makes more sense, is that the government knows what files are stolen property. Similar to the above, they would have to inspect packets of Internet traffic leaving the country, checking it for protected information. How would they know what is protected?

US companies would tell them.

Companies deemed valuable to infrastructure would provide the government with a list of files, and the government would keep copies of them on its central database servers. Then it would inspect all outbound traffic to see whether any of those files are contained in it.

Of course, corporations wouldn’t just hand over their files in plain text (at least I hope they wouldn’t have to). Instead, they’d hash and obfuscate the data and then the government just has to search for the obfuscated text. This is similar to how distributed checksums work in spam filtering.
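One way the hashed matching described above could work, as an added example that is not taken from Clarke's article or from this post: the company registers keyed digests of fixed-size blocks of a file, and the inspector tests every byte offset of an outbound payload against that registry. The block size, key, sample document and function names are assumptions made for illustration.

```python
import hashlib
import hmac
import zlib

CHUNK = 64                      # fingerprint window in bytes (assumed)
KEY = b"constructed-demo-key"   # hypothetical key shared by company and inspector

# Constructed stand-in for a protected file (1560 bytes).
DOC = b"".join(b"design-spec line %04d: tolerance table\n" % i for i in range(40))

def _digest(block: bytes, key: bytes) -> bytes:
    return hmac.new(key, block, hashlib.sha256).digest()

def fingerprints(data: bytes, key: bytes = KEY) -> set:
    """Company side: keyed digest of every aligned CHUNK-byte block."""
    return {_digest(data[i:i + CHUNK], key)
            for i in range(0, len(data) - CHUNK + 1, CHUNK)}

def scan(payload: bytes, registry: set, key: bytes = KEY) -> int:
    """Inspector side: count distinct registered blocks seen in payload.

    The file can start at any byte offset inside a stream, so every
    offset is tested, not just aligned ones.
    """
    hits = set()
    for off in range(len(payload) - CHUNK + 1):
        d = _digest(payload[off:off + CHUNK], key)
        if d in registry:
            hits.add(d)
    return len(hits)

if __name__ == "__main__":
    registry = fingerprints(DOC)
    samples = {
        "whole file inside a stream": b"POST /upload\r\n\r\n" + DOC + b"\r\n--end",
        "excerpt only": b"notes: " + DOC[100:500],
        "same file, compressed": zlib.compress(DOC),
        "unrelated traffic": b"GET /index.html HTTP/1.1\r\n" * 20,
    }
    for name, payload in samples.items():
        print(f"{name:28s} {scan(payload, registry)}/{len(registry)} blocks matched")
```

The compressed sample matches nothing: this kind of matching only recognizes content that crosses the inspection point unmodified and in the clear.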

On the other hand, I doubt that something like that could take effect. As Clarke points out:

Because it is fearful that government monitoring would be seen as a cover for illegal snooping and a violation of citizens’ privacy, the Obama administration has not even attempted to develop a proposal for spotting and stopping vast industrial espionage. It fears a negative reaction from privacy-rights and Internet-freedom advocates who do not want the government scanning Internet traffic.

This does not have to endanger citizens’ privacy rights. Indeed, Mr. Obama could build in protections like appointing an empowered privacy advocate who could stop abuses or any activity that went beyond halting the theft of important files.

Given how up in arms everyone already is about the NSA and the TSA, would regular Americans stand for government inspecting the Internet, even if there are privacy advocates?

I seriously doubt it.

On the other hand, what the government could do is pass legislation that provides a set of requirements that companies must follow if they are deemed part of critical infrastructure, or strategic investment (i.e., a company with valuable intellectual property). Companies today already have to follow requirements known as FISMA (Federal Information Security Management Act). Compliance with it is a pain and time-consuming, but it’s the price you pay for getting government dollars.

It would truly suck if you had to adhere to all this compliance simply because you were successful and didn’t have government contracts. But on the other hand, if you’re not thinking about security and the government forces you to do it, at least you’re less exposed and the cost of compliance is probably less than the cost of cyber theft.